Azure – A new blueprint – PCI-DSS v3.2.1 – is available

As you may already know, Microsoft introduced the Blueprints feature quite some time ago (see https://docs.microsoft.com/en-au/azure/governance/blueprints/overview to learn more).

At first you had to create your Blueprint from scratch, but samples have since been added to help you.

Well, a new Blueprint sample (PCI-DSS v3.2.1) has just been added to help you set up your Azure governance to match the requirements of the Payment Card Industry Data Security Standard.

The PCI DSS is a global information security standard designed to prevent fraud through increased control of credit card data. Organizations that accept payments from credit cards must follow the PCI DSS if they accept payment cards from the five major credit card brands. Compliance with PCI DSS is also required for any organization that stores, processes, or transmits payment and cardholder data.

The PCI-DSS v3.2.1 blueprint includes mappings to important PCI DSS controls, including:

  • Segregation of duties. Manage subscription owner permissions.
  • Access to networks and network services. Implement role-based access control (RBAC) to manage who has access to Azure resources.
  • Management of secret authentication information of users. Audit accounts that don’t have multi-factor authentication enabled.
  • Review of user access rights. Audit accounts that should be prioritized for review, including deprecated accounts and external accounts with elevated permissions.
  • Removal or adjustment of access rights. Audit deprecated accounts with owner permissions on a subscription.
  • Secure log-on procedures. Audit accounts that don’t have multi-factor authentication enabled.
  • Password management system. Enforce strong passwords.
  • Policy on the use of cryptographic controls. Enforce specific cryptographic controls and audit use of weak cryptographic settings.
  • Event and operator logging. Diagnostic logs provide insight into operations that were performed within Azure resources.
  • Administrator and operator logs. Ensure system events are logged.
  • Management of technical vulnerabilities. Monitor missing system updates, operating system vulnerabilities, SQL vulnerabilities, and virtual machine vulnerabilities in Azure Security Center.
  • Network controls. Manage and control networks and monitor network security groups with permissive rules.
  • Information transfer policies and procedures. Ensure information transfer with Azure services is secure.

To start using this new sample, just go to your Azure Portal and search for "Blueprints".
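The portal is the quickest way to try the sample, but the same definition can be imported, published and assigned from PowerShell with the Az.Blueprint module, which is handy when you want the assignment to be repeatable across subscriptions. This is an added example, not code from the original post or from Microsoft's sample; it assumes the sample's definition (blueprint.json plus its artifact files) has been exported to a local folder, and the folder path, subscription id and location below are placeholders you replace with your own.

```powershell
# Added example (not from the original post): import, publish and assign a
# blueprint definition from PowerShell instead of the portal.
# Assumptions / placeholders: the sample has been exported to $samplePath,
# and $subscriptionId / the -Location value are yours.
Install-Module -Name Az.Blueprint -Scope CurrentUser   # one-time install
Connect-AzAccount

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$blueprintName  = 'pci-dss-v321'                            # a name you choose
$samplePath     = 'C:\blueprints\pci-dss-v3.2.1'            # placeholder: exported sample folder

# 1. Import the definition (blueprint.json + artifacts) into the subscription as a draft
Import-AzBlueprintWithArtifact -Name $blueprintName -InputPath $samplePath -SubscriptionId $subscriptionId

# 2. Publish a version; only published versions can be assigned
$draft = Get-AzBlueprint -SubscriptionId $subscriptionId -Name $blueprintName
Publish-AzBlueprint -Blueprint $draft -Version '1.0' -ChangeNote 'Initial PCI-DSS v3.2.1 assignment'

# 3. Assign the latest published version.
#    Parameter names come from the sample's blueprint.json; an empty hashtable
#    only works if every parameter there has a default value.
$published = Get-AzBlueprint -SubscriptionId $subscriptionId -Name $blueprintName -LatestPublished
$params = @{ }
New-AzBlueprintAssignment -Name "$blueprintName-assignment" `
    -Blueprint $published `
    -SubscriptionId $subscriptionId `
    -Location 'australiaeast' `
    -SystemAssignedIdentity `
    -Lock AllResourcesReadOnly `
    -Parameter $params

# 4. Check the assignment: ProvisioningState should reach Succeeded.
#    Once it does, the policies listed in the post show up as policy assignments
#    in the subscription, and resource locking keeps them from being removed
#    by subscription owners outside the blueprint.
Get-AzBlueprintAssignment -Name "$blueprintName-assignment" -SubscriptionId $subscriptionId
```

The `-Lock AllResourcesReadOnly` switch is the part worth keeping even if you trim the rest: it makes the deployed policy and RBAC artifacts read-only to everyone except the blueprint service, which is what stops a later change from silently undoing the controls the sample maps to.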

